Summary & Key Actions Required

Following our investigations, we have concluded that this component is NOT exploitable in its current configuration within Avantra software.

Key Actions Required

  • For the majority of customers, no action is required.

  • We do not believe that this component is exploitable in its current configuration within Avantra software; however, customers who are concerned about this CVE should upgrade to Avantra 23.0.3 or later.

  • Patched components that mitigate this CVE are included in Avantra 23.0.3 or higher.

We became aware of CVE-2022-31692 on 3rd November 2022. It currently has a CVSS score of 9.8 and impacts the software component Spring Security versions 5.6.0 - 5.6.8 and 5.7.0 - 5.7.4. After completing our analysis, we have concluded that the component in question is not exploitable in its current state within Avantra software, so no action is required by Avantra software users at this time.

Related security articles:

CVE-2022-31692 Summary

Please see this article for more information:

Impact to Avantra

We have completed our investigations and analysis around this CVE and we believe it is not exploitable within Avantra software today. We will update this article if any of our findings or recommendations change in the future.

Impact on our customers

At present, there is no impact on Avantra customers. For customers concerned about this CVE, we advise updating to Avantra 23.0.3 or higher.

Change Log

31st Mar 2023 @ 14:00 CET: Updated with 23.0.3 release details
4th Nov 2022 @ 14:00 CET: Analysis completed and findings published
3rd Nov 2022 @ 10:00 CET: Initial notice published

We at Avantra take the security of our software and our customers very seriously, and it is our top priority. We will keep you up to date as more information becomes available, and we encourage customers to subscribe to the security section of our forum to get proactive updates as we post them.